Add the Keycloak.Net.Authentification and Keycloak.Net.Authorization nuget packages to your project.
Api calls requires auhorization header with an JWT token from Keycloak.
POST https://yourapi/action HTTP/1.1
Auhorization: Bearer JwtTokenContent
Add to program.cs of your api
using Keycloak.Net.Authentication;
using Keycloak.Net.Authorization;
new code 👆
.
builder.Services
.AddKeyCloakAuthentication()
.AddKeyCloakJwtBearerOptions("appsettings_section_name");
.....
app.UseAuthentication();
app.UseAuthorization();
Add section to the appsettings.{Environment}.json
{
"KeycloakUrl": "<<FROM_USER_SECRET>>",
"RealmName": "<<FROM_USER_SECRET>>",
"appsettings_section_name": {
"Authority": "{KeycloakUrl}{RealmName}",
"Audience": "<<Audience>>"
}
// or
"appsettings_section_name": {
"Authority": "{KeycloakUrl}{RealmName}",
"ValidAudience": "<<Audience>>"
}
//or
"appsettings_section_name": {
"Authority": "{KeycloakUrl}{RealmName}",
"ValidAudiences": ["<<Audience>>"]
}
}
builder.Services
.AddKeyCloakAuthentication()
.AddKeyCloakJwtBearerOptions("appsettings_section_name", options =>
{
options.Audience = "<<Audience>>";
options.SaveToken = true;
options.TokenValidationParameters.ClockSkew = TimeSpan.FromSeconds(30);
});
#### Option no.4
- You have to manually configure the JwtBearerOtions.
```csharp
builder.Services
.AddKeyCloakAuthentication()
.AddJwtBearerOptions(options =>
{
options.Authority = "https://{host}/realms/{realm}";
options.Audience = "<<Audience>>";
......
options.TokenValidationParameters = new TokenValidationParameters( options =>
{
options.ClockSkew = TimeSpan.FromSeconds(30);
.......
});
});
{
"KeycloakUrl": "<<FROM_USER_SECRET>>",
"RealmName": "<<FROM_USER_SECRET>>",
"appsettings_section_name": {
"Authority": "{KeycloakUrl}{RealmName}",
"Audience": "<<Audience>>",
"NameClaim: "<<NameOfClaimWhichShouldBeSetToNameClaim>>"
}
}
using Keycloak.Net.Authentication;
using Keycloak.Net.Authorization;
new code 👆
.....
👇new code
builder.Services
// Keycloak.Net.Authentication services
.AddKeyCloakAuthentication()
.AddKeyCloakJwtBearerOptions("appsettings_section_name");
.....
app.UseAuthentication();
app.UseAuthorization();
Configure using the Action<ClientConfiguration>
builder.Services
// Keycloak.Net.Authentication services
.AddKeyCloakAuthentication()
.AddKeyCloakJwtBearerOptions("appsettings_section_name");
.AddUma(client =>
{
client.ClientId = "client-role";
});
new code 👆
.....
👇new code
app.UseUma();
app.UseAuthentication();
app.UseAuthorization();
Configure by appsettings.{Environment}.json
builder.Services
// Keycloak.Net.Authentication services
.AddKeyCloakAuthentication()
.AddKeyCloakJwtBearerOptions("Appsettings_Section_Name")
.AddUma("Client_Section_Name);
new code 👆
.....
👇new code
app.UseUma();
app.UseAuthentication();
app.UseAuthorization();
Add to your appsettings.{Environment}.json
{
"Client_Section_Name": {
"ClientId": "<CLIENT_NAME>"
}
Extra AuthorizationOptions configuration can be added
.AddUma("Client", configure =>
{
configure.AddPolicy("<<policy_name>>", configure =>
{
configure.RequireClaim("<<claim_name>>", "<<claim_value>>");
});
configure.AddPolicy("<<policy_name>>", policy =>
{
policy.RequireUserName("<<username>>");
});
configure.AddPolicy("<<policy_name>>", policy =>
{
policy.RequireAuthenticatedUser();
});
configure.AddPolicy("<<policy_name>>", policy =>
{
policy.RequireRole("<<role_name>>");
});
})
Via custom extenxion method
app.MapGet("api/example", () =>
Results.Ok()
.RequireUmaAuthorization(resource: "<<resource>>", scope: "<<scope>>");
Via Attribute
app.MapGet("api/example", [Permission(Resource = "<<resource>>", Scope = "<<scope>>")] () =>
Results.Ok();
Via ASP.NET extension method. The policy string format is: Permission:«resource»,«scope»
app.MapGet("api/example", () =>
Results.Ok()
.RequireAuthorization("Permission:<<resource>>,<<scope>>");
The UseUMA
middleware exchange the JWT of the request with a RPT received from Keycloak auth server after validating the realm access permission.
The RPT contains the permission granted by the auth server, and is used to autorize access of the resources.